IETF Logo Mail Archive

Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

"David A. Cooper" <david.cooper@nist.gov> Thu, 01 November 2012 14:04 UTC

Return-Path: <david.cooper@nist.gov>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE65321F8CA9 for <pkix@ietfa.amsl.com>; Thu, 1 Nov 2012 07:04:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.141
X-Spam-Level:
X-Spam-Status: No, score=-5.141 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r2P1YAbkIv+3 for <pkix@ietfa.amsl.com>; Thu, 1 Nov 2012 07:04:21 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id DA05E21F8CAA for <pkix@ietf.org>; Thu, 1 Nov 2012 07:04:20 -0700 (PDT)
Received: from WSGHUB1.xchange.nist.gov (129.6.42.34) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.421.2; Thu, 1 Nov 2012 10:04:01 -0400
Received: from smtp.nist.gov (129.6.16.226) by smtp-g.nist.gov (129.6.42.33) with Microsoft SMTP Server id 14.1.421.2; Thu, 1 Nov 2012 10:03:42 -0400
Received: from st26.ncsl.nist.gov (st26.ncsl.nist.gov [129.6.54.72]) by smtp.nist.gov (8.13.1/8.13.1) with ESMTP id qA1E4H2Q016935; Thu, 1 Nov 2012 10:04:18 -0400
Message-ID: <50928161.3060704@nist.gov>
Date: Thu, 01 Nov 2012 10:04:17 -0400
From: "David A. Cooper" <david.cooper@nist.gov>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20120829 Thunderbird/15.0
MIME-Version: 1.0
To: Stefan Santesson <stefan@aaa-sec.com>
References: <CCB765DE.528BD%stefan@aaa-sec.com>
In-Reply-To: <CCB765DE.528BD%stefan@aaa-sec.com>
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: IETF PKIX <pkix@ietf.org>
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Nov 2012 14:04:21 -0000

Stefan,

In your message yesterday you raised the issue of OCSP responders that have access to a database of issued certificates that are currently valid, but not of the certificates that were issued but that have now expired.  I then noticed that in the straw poll you did not limit the "revoked" response to certificates that have been revoked and certificates that the CA knows haven't never been issued, but indicated that the response could be used whenever the responder 'knows the certificate to be "bad".'  So, it was my understanding that you thought responders could still make use of the proposed expanded definition of "revoked" even if they did not maintain information about expired certificates.

So, which is it?  If a responder has access to a database of issued certificates, but that database does not include certificates that have expired, may the responder reply "revoked" if asked about a serial number that doesn't appear in the database or is it required to respond "good," since the serial number may be referring to a certificate that was issued but that has now expired?

Dave

On 10/31/2012 06:35 PM, Stefan Santesson wrote:

Does your message below mean that you now intend to extend the meaning of "revoked" even further to include certificates that were issued by CA and that were never revoked, but that are now expired? 

No

You got me wrong.

Not issued = never issued.

/Stefan


On 10/31/2012 05:25 PM, Stefan Santesson wrote:
There might be OCSP responders that do have access to a database of issued certs that are currently valid, but not the history of issued certs (expired).
They could not use this extension to include a cert hash as they can't know if a particular serial number of an expired cert is asked for.

Thus it may be wise to separate these issues and keep it simple and just use an OID to indicate this particular behaviour with regard to "revoked" response.
It may be wise therefore to allow a separate process come up with a separate extension for positive confirmations.
Not that I don't like such functionality.

On 10/30/2012 05:52 AM, Stefan Santesson wrote:
Please reply with either:

1. Allow "revoked" response for a certificate that has not been "revoked"
but where that OCSP responder for any other reason knows the certificate
to be "bad".

2. Require that the OCSP responder MUST respond "good" in this situation.

3. Neither 1 or 2 (motivate).

v2.23.0 | Report a Bug | By Email